Tuesday, 17 September 2013

Crackmes [Reverse] - kaliba CrackMe [very easy level]

In this task we are provided with a binary that asks for a serial code.
If you enter an arbitrary serial number, the application rejects it; you would have to be quite lucky to guess a valid one.

Let's dive into the assembly code. First we will look at the strings. There are a couple of them. The first one is used to change the console title. It is successfully parsed by IDA; the others, however, are treated as DWORDs. You may notice that the bytes following this string are also ASCII characters. The other strings are:
Type your serial
Right Crack, now write a KeyGen
Ops! Wrong serial, try again.
%d%c%d%c%d
We are interested in the "Right Crack ..." string, so let's find its usage. It is placed on the stack and then used to print the congratulation message after a valid serial is received.

Right crack string
Pushing it on the stack

Printing
So we have to get to the location shown in the printing picture. We have to understand what is happening starting from the call to the scanf function, which is used to read the serial number.
scanf 
We can see that the format string is %d%c%d%c%d, so your serial number should contain 3 numbers delimited by any non-digit character. Then you can see that a simple calculation is done with the first scanned number and the result is compared to the other scanned numbers. To make the flow of operations easier to follow, you may want to rename the stack variables. In IDA the hotkey 'n' renames an autogenerated name. You can understand the serial number logic from the keygen.

KeyGen:
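# d1 is a random number; d2 and d3 are derived from it.
prng = Random.new
d1 = prng.rand(1000)
d2 = 2 * (10 * d1 + 125) + 68
d3 = 2 * (2 * d1 + 253) + 3 + d2
puts "Hi! Your key is:"
# The two delimiters are random bytes (0..254), so they can turn out to be digits.
puts "#{d1}#{prng.rand(255).chr}#{d2}#{prng.rand(255).chr}#{d3}"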

This keygen won't work in some cases, because the character delimiters can be digits with a probability of approx. 4%.
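The delimiter failure can be reproduced offline with a small model of the check. This is an added example, not code from the original post or from the crackme: `expected`, `scan_serial`, `valid_serial?`, `make_serial` and `failing_delimiters` are hypothetical helpers, the scanf emulation is simplified, and the acceptance rule is assumed to be exactly the keygen's formulas.

```ruby
require 'strscan'

# Formulas taken from the keygen on this page.
def expected(d1)
  d2 = 2 * (10 * d1 + 125) + 68
  d3 = 2 * (2 * d1 + 253) + 3 + d2
  [d2, d3]
end

# Simplified model of scanf("%d%c%d%c%d") (assumption: input is a raw byte stream).
# %d skips whitespace, then takes an optional sign and the longest digit run;
# %c takes exactly one byte. Returns [d1, d2, d3] or nil if a field is missing.
def scan_serial(input)
  sc = StringScanner.new(input.b)
  numbers = []
  3.times do |i|
    field = sc.scan(/\s*[+-]?\d+/)
    return nil if field.nil?
    numbers << field.strip.to_i
    return nil if i < 2 && sc.get_byte.nil?
  end
  numbers
end

# Assumed check: the serial is accepted when d2 and d3 match the formulas.
def valid_serial?(input)
  d1, d2, d3 = scan_serial(input)
  !d1.nil? && [d2, d3] == expected(d1)
end

# Builds a serial with explicitly chosen delimiters instead of random ones.
def make_serial(d1, delim1, delim2)
  d2, d3 = expected(d1)
  [d1, delim1, d2, delim2, d3].map { |part| part.to_s.b }.join
end

# Byte values (same range as the keygen, 0..254) that break the serial
# when used as the first delimiter.
def failing_delimiters(d1)
  (0...255).reject { |byte| valid_serial?(make_serial(d1, byte.chr, '-')) }
end

if __FILE__ == $PROGRAM_NAME
  puts make_serial(7, '-', '-')
  bad = failing_delimiters(7)
  puts "rejected delimiters: #{bad.map(&:chr).join} (#{bad.size} of 255)"
end
```

A digit delimiter is swallowed by the preceding `%d`, so the scanned numbers shift and the last field is never read; choosing the delimiters from a fixed non-digit set avoids the problem.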

Proof:

